
IT Auditing in System Development Life Cycle


By: Ms. Nor Halwani Binti Md Radzi
Objectives

• Software, computer system and application
• Understand what SDLC is
• The importance of SDLC in IT Project
• Participants In Systems Development
• Information Systems Acquisition
• Commercial Systems
• SDLC - Systems Planning
• SDLC - Systems Analysis
• SDLC - System Conceptual Design
• SDLC - System Evaluation and Selection
• SDLC - Detailed Design
• SDLC - Application Programming and Testing
• SDLC - System Implementation
Software, System and Applications

• Software is computer programs, procedures, and possibly associated documentation and data pertaining to the operation of a computer system.
• A computer system is a basic, complete and functional computer, including all the hardware and software required to make it functional for a user.
• An application is any program, or group of programs, that is designed for the end user. Applications software (also called end-user programs) includes such things as database programs, word processors, Web browsers and spreadsheets.
SDLC

• A framework that describes the activities performed at each stage of a software development project.
• SDLC stands for Systems Development Life Cycle
• First, SDLC is a Life Cycle.
• All systems have a life cycle or a series of stages they naturally undergo.
• The number and name of the stages vary, but the primary stages are conception, development, maturity and decline.
• The systems development life cycle (SDLC), therefore, refers to the development stage of the system’s life cycle.
The SDLC

• Requirements Definition: done by customers
• Analysis: analyze requirements to form an initial software model
• Design: Detailed definition of inputs/outputs and processes including data structures, software structure, etc.
The SDLC

• Coding: Design translated into code.
• Coding includes SQA activities such as inspections, unit tests and integration tests
• Many takeoffs from this: These tests are done by developers: individual (unit), group or team (integration tests…)
The SDLC

• System Tests: Goal: to discover errors / correct errors to achieve an acceptable level of quality. Carried out by developers prior to delivery.
• Sometimes ‘acceptance tests’ are carried out by the customer or in conjunction with the developer
The SDLC

• Installation / Conversion:
  • After testing, system is installed and/or replaces an existing system;
  • Requires software / data conversion
  • Important to not interrupt daily activities during conversion process.
  • Install incrementally, run in parallel; turn switch and live with it, etc.
The Importance of SDLC

• Ensuring that high quality systems are delivered on-time and on-budget
• Providing strong management controls over development activities
• Maximizing the productivity of the development team
Participants In Systems Development

• Systems professionals are systems analysts, systems engineers, and programmers.
• End users are those for whom the system is built
• Stakeholders are individuals either within or outside the organization who have an interest in the system but are not end users
• Accountants/Auditors are those professionals who address the controls, accounting, and auditing issues for systems development
Why Are Accountants and Auditors Involved with SDLC?

• The creation of an information system entails significant financial transactions
• The nature of the products that emerge from the SDLC
How Are Accountants Involved with the SDLC?

• Accountants are users
• Accountants participate in systems development as members of the development team.
• Accountants are involved in systems development as auditors
Information Systems Acquisition

• They develop customized systems in-house through formal systems development activities
• They purchase commercial systems from software vendors
In-House Development

• Many organizations require systems that are highly tuned to their unique operations.
• These firms design their own information systems through in-house systems development activities.
• In-house development requires maintaining a full-time systems staff of analysts and programmers who identify user information needs and satisfy their needs with custom systems
Commercial Systems

• Four factors have stimulated the growth of the commercial software market:
  (1) the relatively low cost of general commercial software as compared to customized software;
  (2) the emergence of industry-specific vendors who target their software to the needs of particular types of businesses;
  (3) a growing demand from businesses that are too small to afford in-house systems’ development staff; and
  (4) the trend toward downsizing of organizational units and the resulting move toward the distributed data processing environment, which has made the commercial software option more appealing to larger organizations
Types of Commercial Systems

• Turnkey systems are completely finished and tested systems that are ready for implementation
• General accounting systems are designed to serve a wide variety of user needs
• Special-purpose systems target selected segments of the economy
Types of Commercial Systems (cont.)

• Office automation systems are computer systems that improve the productivity of office workers
• Backbone systems provide a basic system structure on which to build
• Vendor-supported systems are hybrids of custom systems and commercial software
Advantages of Commercial Software

• Implementation time
• Cost
• Reliability
Disadvantages of Commercial Software

• Independence
• The need for customized systems
• Maintenance
The Systems Development Life Cycle

• New systems development involves conceptual steps that can apply to any problem-solving process:
  • Identify the problem,
  • Understand what needs to be done,
  • Consider alternative solutions,
  • Select the best solution, and, finally,
  • Implement the solution
• Systems maintenance constitutes the organization’s program change procedures
Systems Planning—Phase I

• The objective of systems planning is to link individual system projects or applications to the strategic objectives of the firm
• Effective systems planning provides goal congruence
Who Should Do Systems Planning?

• The steering committee may include the chief executive officer, the chief financial officer, the chief information officer, senior management from user areas, the internal auditor, and senior management from computer services
• Systems planning occurs at two levels:
  • Strategic systems planning and
  • Project planning
Strategic Systems Planning

• Involves the allocation of systems resources at the macro level.
• It usually deals with a time frame of 3 to 5 years
Why Perform Strategic Systems Planning?

• A plan that changes constantly is better than no plan at all
• Strategic planning reduces the crisis component in systems development
• Strategic systems planning provides authorization control for the SDLC
• Cost management
Project Planning

• The purpose of project planning is to allocate resources to individual applications within the framework of the strategic plan
  • Identifying areas of user needs,
  • Preparing proposals,
  • Evaluating each proposal’s feasibility and contribution to the business plan,
  • Prioritizing individual projects, and
  • Scheduling the work to be done
• The product of this phase consists of two formal documents:
  • The project proposal → provides management with a basis for deciding whether to proceed with the project
  • The project schedule → represents management’s commitment to the project
The Auditor’s Role in Systems Planning

• Auditors routinely examine the systems planning phase of the SDLC
Systems Analysis—Phase II

• Systems analysis is actually a two-step process involving first a survey of the current system and then an analysis of the user’s needs
• The deliverable from this phase is a formal systems analysis report, which presents the findings of the analysis and recommendations for the new system
The Survey Step

• The analyst often begins the analysis by determining what elements, if any, of the current system should be preserved as part of the new system
Gathering Facts

• Data sources. These include external entities, such as customers or vendors, as well as internal sources from other departments.
• Users. These include both managers and operations users.
• Data stores. Data stores are the files, databases, accounts, and source documents used in the system.
• Processes. Processing tasks are manual or computer operations that represent a decision or an action triggered by information
• Data flows. Data flows are represented by the movement of documents and reports between data sources, data stores, processing tasks, and users.
• Controls. These include both accounting and operational controls and may be manual procedures or computer controls.
• Transaction volumes. The analyst must obtain a measure of the transaction volumes for a specified period of time
• Error rates. Transaction errors are closely related to transaction volume
• Resource costs. The resources used by the current system include the costs of labor, computer time, materials (such as invoices), and direct overhead
• Bottlenecks and redundant operations. The analyst should note points where data flows come together to form a bottleneck
Fact-Gathering Techniques

• Observation
• Task Participation
• Personal Interviews
• Reviewing Key Documents
The Auditor’s Role in Systems Analysis

• The accountant/auditor should be involved in the needs analysis of the proposed system to determine if it is a good candidate for advanced audit features and, if so, which features are best suited for the system
Conceptual Systems Design—Phase III

• The purpose of the conceptual design phase is to produce several alternative conceptual systems that satisfy the system requirements identified during systems analysis
• Two approaches to conceptual systems design:
  • The structured approach → develops each new system from scratch from the top down
  • The object-oriented approach → from the bottom up through the assembly of reusable modules rather than creating each system from scratch
System Evaluation and Selection—Phase IV

• An optimization process that seeks to identify the best system
• Involves two steps:
  1. Perform a detailed feasibility study → technical, economic, legal, operational, and schedule
  2. Perform a cost-benefit analysis
The Auditor’s Role in Evaluation and Selection

• Only escapable costs are used in calculations of cost savings benefits.
• Reasonable interest rates are used in measuring present values of cash flows.
• One-time and recurring costs are completely and accurately reported.
• Realistic useful lives are used in comparing competing projects.
• Intangible benefits are assigned reasonable financial values.
Detailed Design—Phase V

• The purpose of the detailed design phase is to produce a detailed description of the proposed system that both satisfies the system requirements identified during systems analysis and is in accordance with the conceptual design
• Perform a System Design Walkthrough
• Review System Documentation
Application Programming and Testing—Phase VI

• Select a programming language from among the various languages available and suitable to the application
System Implementation—Phase VII

• Database structures are created and populated with data, equipment is purchased and installed, employees are trained, the system is documented, and the new system is installed
• Testing the Entire System
• Documenting the System
• Converting the Databases
• Converting to the New System
  • Cold Turkey Cutover
  • Phased Cutover
  • Parallel Operation Cutover
Systems Maintenance—Phase VIII

• Systems maintenance is a formal process by which application programs undergo changes to accommodate changes in user needs
